User enrolment via email

Hello everyone.
I have successfully set up privacyIDEA. I have enrolled myself (the admin) using the QR code that I can scan from the enrolment page. This works fine and I'm able to authenticate using MFA.

Now I want to enroll a user using email. This is the part which I'm stuck at. I've looked on the forum and can't find any how-tos on how to configure this. If anyone has a link on how I can configure email enrolment I would be grateful.

What is “email enrolment”?

I would like to enroll a token on the system by sending an email to the user with a QR code or something that they will use to activate the token.

As the admin, I can scan the QR code directly from the privacyIDEA GUI, but the user doesn't have any access to the privacyIDEA GUI. So I need a way to enroll their token onto the system, so I'm thinking that PI has a way of sending a welcome/activation email to the user to activate the token somehow.

I’m not sure sending the token via email is particularly secure… Consider that “classic” TOTP tokens, for example, could be reused (scanned by multiple devices and producing the same OTP), which is something you’d generally want to avoid. As far as I understood, best practice would be showing the enrollment QR for the shortest time and suggesting that the user not store it.

If you don’t want to let users use the privacyIDEA UI, you can always enroll the token through the API; it would return the QR code as a base64-encoded image that you could use as you please.
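
An added example, not part of the thread and not privacyIDEA's own code: handling the reply of the token-enrollment API call mentioned in the last post, so that the QR image is validated before use and the seed it carries never reaches logs. The reply layout (`detail.serial`, `detail.googleurl.img` as a PNG data URI, `detail.googleurl.value` as the otpauth URL) is an assumption, and the sample reply is constructed.

```python
import base64
import json
import re

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Constructed sample reply (assumed layout, fake values, stub image bytes).
SAMPLE_REPLY = json.dumps({
    "result": {"status": True, "value": True},
    "detail": {
        "serial": "TOTP0001ABCD",
        "googleurl": {
            "img": "data:image/png;base64,"
                   + base64.b64encode(PNG_MAGIC + b"\x00" * 8).decode(),
            "value": "otpauth://totp/TOTP0001ABCD?secret=CONSTRUCTEDSECRET",
        },
    },
})

DATA_URI = re.compile(r"data:image/png;base64,([A-Za-z0-9+/=]+)")


class EnrollmentError(Exception):
    """Raised when the reply is not a usable enrollment result."""


def extract_enrollment_qr(reply_text):
    """Return (serial, png_bytes); raise instead of passing on bad data."""
    reply = json.loads(reply_text)
    if not reply.get("result", {}).get("status"):
        raise EnrollmentError("server reported failure")
    detail = reply.get("detail", {})
    match = DATA_URI.search(detail.get("googleurl", {}).get("img", ""))
    if not match:
        raise EnrollmentError("no PNG data URI in reply")
    png = base64.b64decode(match.group(1), validate=True)
    if not png.startswith(PNG_MAGIC):
        raise EnrollmentError("decoded image is not a PNG")
    return detail["serial"], png


def redact(reply_text):
    """Copy of the reply that is safe to log: the QR image and the
    otpauth URL both contain the TOTP seed, so both are replaced."""
    reply = json.loads(reply_text)
    googleurl = reply.get("detail", {}).get("googleurl", {})
    for key in ("img", "value"):
        if key in googleurl:
            googleurl[key] = "[redacted]"
    return json.dumps(reply)
```

Whatever channel then delivers the PNG to the user, the reuse concern raised above still applies: anyone who obtains the image can produce the same OTPs.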